The Garden-Hose Game 



A New Model of Computation, and Application to 
Position-Based Quantum Cryptography 

Harry Buhrman*, Serge Fehr, Christian Schaffner**, and Florian Speelman* 

Centrum Wiskunde & Informatica (CWI), The Netherlands 
University of Amsterdam, The Netherlands 



Abstract. We study position-based cryptography in the quantum setting. We examine a class 
of protocols that only require the communication of a single qubit and 2n bits of classical 
information. To this end, we define a new model of communication complexity, the garden- 
hose model, which enables us to prove upper bounds on the number of EPR pairs needed to 
attack such schemes. This model furthermore opens up a way to link the security of quantum 
position-based cryptography to traditional complexity theory. 

1 Introduction 

Background: Position-based (Quantum) Cryptography 

The goal of position-based cryptography is to use the geographical position of a party as its only 
"credential" . For example, one would like to send a message to a party at a geographical position pas 
with the guarantee that the party can decrypt the message only if he or she is physically present at pas. 
The general concept of position-based cryptography was introduced by Chandran, Goyal, Moriarty 
and Ostrovsky |(X;M()09| . 

A central task in position-based cryptography is the problem of position-verification. We have 
a prover P at position pas, wishing to convince a set of verifiers Vq, . . . ,Vk (at different points in 
geographical space) that P is indeed at that position pos. The prover can run an interactive protocol 
with the verifiers in order to convince them. The main technique for such a protocol is known as 
distance bounding |BC94] . In this technique, a verifier sends a random nonce to P and measures the 
time taken for P to reply back with this value. Assuming that the speed of communication is bounded 
by the speed of light, this technique gives an upper bound on the distance of P from the verifier. 

The problem of secure position- verification has been studied before in the field of wireless security, 
and there have been s everal proposals for this task f |BC94ISSW03IVN04IBus04ICH05ISP05IZLFW06ICCS06] ) . 
However, |CGM0d9] shows that there exists no protocol for secure position- verification that offers se- 
curity in the presence of multiple colluding adversaries. In other words, the set of verifiers cannot 
distinguish between the case when they are interacting with an honest prover at pos and the case 
when they are interacting with multiple colluding dishonest provers, none of which is at position pos. 

The impossibility result of |CGM0d9] relies heavily on the fact that an adversary can locally store 
all information he receives and at the same time share this information with other colluding adver- 
saries, located elsewhere. Due to the no-cloning theorem, such a strategy will not work in the quantum 
setting, which opens the door to secure protocols that use quantum information. The quantum model 
was first studied by Kent et al. under the name of "quantum tagging" jKMSB06|KMSll] . Several 



* Supported by a NWO VICI grant and the EU 7th framework grant QCS. 

* Supported by a NWO VENI grant. 



schemes were developed |KMSlllMallOalCFG+10IMailOblLLll| and proven later to be insecure. Fi- 
nally in |BCF+11) it was shown that in general no unconditionally secure quantum position- verification 
scheme is possible. Any scheme can be broken using a double exponential amount of EPR pairs in the 
size of the messages of the protocol. Later, Beigi and Konig improved in |BKllj the double exponential 
dependence to single exponential making use of port-based teleportation [IH 08IIH09] . 

Due to the exponential overhead in EPR pairs, the general no-go theorem does not rule out the 
existence of quantum schemes that are secure for all practical purposes. Such schemes should have 
the property that the protocol, when followed honestly, is feasible, but cheating the protocol requires 
unrealistic amounts of resources, for example EPR pairs or time. 

Analyzing the Beigi-Konig Scheme 

To this end, Beigi and Konig [BKllj proposed a position- verification scheme using mutually unbiased 
bases. They showed that if the colluding parties are not allowed to send quantum, but only classical 
information to each other, then a linear amount of entanglement is necessary to break the scheme. 
They left open whether more entanglement was needed. As a first contribution, we close this gap and 
show that a linear number of EPR pairs is also sufficient to break the scheme. 

An Interesting Class of Schemes 

Furthermore, we consider a class of schemes that only involve a single qubit, and 2n classical bits. Such 
schemes were first considered by Kent et al. (KMSllj . We focus on the one-dimensional set-up. The 
schemes easily generalize to three-dimensional space. The prover wants to convince the two verifiers, 
Vq and Vi, that he is at position pos on the line in between them. Vq sends a qubit \(f>) prepared in a 
random basis to P. In addition, Vq sends a string x G {0, 1}" and Vi a y G {0, 1}" to P. All messages 
are timed such that they arrive at the same time at P's claimed position. After receiving \4>),x and 
y, P computes a predetermined Boolean function /(x, j/)j^He sends {(j)) to Vq if f{x,y) — and to 
Vi otherwise. Vq and Vi check that they receive the correct qubit in time corresponding to pos and 
measure the received qubit in the basis corresponding to which it was prepared. In order to cheat 
the scheme, we imagine two provers Pq and Pi on either side of the claimed position pos, who try to 
simulate the correct behavior of an honest P at pos. 

The attack described in (KMSllj and the general no-go theorems from |BCF+ll|BKllj imply 
that there is a strategy for Pq and Pi such that they can accomplish the following. Pq receives \(f>),x 
and Pi receives y. They are allowed to simultaneously send a single message to each other such 
that upon receiving that message they both know f{x,y) and if f{x,y) — then Pq still has 
otherwise Pi has it in his possession. This teleportation-based cheating strategy however requires 
an exponential amount of EPR pairs (in n). We show in this paper that the number of EPR pairs 
required for such a protocol can be upper-bounded by a complexity measure that is related to the 
non-uniform space complexity of computing /. This complexity can sometimes be much smaller. For 
example, it follows that if /(x, y) can be computed in logspace, then there is a cheating strategy that 
only requires a polynomial amount of entanglement. Our proof is inspired by permutation branching 
programs introduced by Barrington jBar89] and a general technique to make log-space computations 
reversible LMT97 . 

The motivation for considering this particular protocol for position-verification is the hope that 
for "complicated enough" functions f{x,y), the amount of entanglement needed to successfully break 
the security of the protocol grows (at least) linearly in the bit length n of the classical strings x, y. 

^ We assume for simplicity that computation does not take any time. 



2 



If this intuition is true, it is a very interesting property of the protocol that we obtain a favorable 
relation between quantum and classical difficulty of operations in the following sense: if we increase 
the length of the classical inputs a;, y, we require more classical computing power of the honest prover, 
whereas more quantum resources (in form of entangled states) are required by the adversary to break 
the protocol. Thus, the more classical resources the honest users use to faithfully execute the scheme, 
the more quantum resources the adversary needs in order to break it. To the best of our knowledge, 
such a trade-off has never been observed for a quantum-cryptographic protocol. 

We give some first indications that the above may indeed be true. We show that if / is injective in 
X (meaning that Wxj^x' 3y : f{x, y) 7^ f{x\ y)) or in y (defined accordingly), then for any attack that 
succeeds with certainty, the two dishonest provers require a joint quantum working space consisting of 
at least a logarithmic amount of qubits in n. Also, we show that if the entangled starting state for the 
dishonest provers is fixed, e.g. a list of EPR pairs, then there exists a function / for which the starting 
state must consist of at least linearly many qubits in n to allow for a perfect attack. Restricting to 
perfect attacks makes the claims rather weak from a cryptographic point of view; we hope that this 
can be improved in future work. 

The Garden-Hose Complexity 

In order to isolate the properties of attacks on these one-qubit schemes, we define a new model of 
communication complexity which we call the garden-hose model. Alice and Bob as usual have to 
compute a Boolean function /(x, y). In order to do so they possess a number of water pipes that lay 
between them. Moreover, they each have additional pieces of hose that they can use to connect up 
the ends of the water pipes that are at their side. For example, Alice may choose to connect pipe 17 
with 19 and pipe 28 with 687 etc. Bob connects up the ends of the pipes on his side. For each input 
they can use a different connection scheme. In order to compute the function, Alice in addition has a 
source of water that she connects to one of the the pipes on her side. She now opens the water tap. 
It is easy to see that the water will flow out on one side only. If this is Alice's then they proclaim the 
function value to be otherwise the function value is 1. We define the garden- hose complexity of / to 
be the minimum number of pipes needed to compute /. 

The garden-hose model links the number of EPR pairs sufficient to attack a quantum position- 
verification scheme to traditional complexity theory: the number of EPR pairs needed for a successful 
attack is upper bounded by the garden-hose complexity of /. Unfortunately, so far it is unclear whether 
the garden-hose complexity by any means gives a lower bound on the number of EPR pairs needed. If it 
does, then this gives a nice handle on proving security of such schemes based on complexity-theoretical 
assumptions. In order to have a practical scheme, we will need a function / in the complexity class 
P that has "large" garden-hose complexity. The existence of a function in P with super-polynomial 
garden-hose complexity will separate the complexity class P from LOGSPACE, which is a long standing 
open problem. 

Beyond its connection to position-based quantum cryptography, we feel that the garden-hose com- 
plexity is interesting in its own right, and trying to understand its connections to other complexity 
measures appears like a challenging goal. In this paper we give some first answers, but many questions 
regarding the garden-hose complexity require further research. 

Summary 

In summary, the main results of this paper are the following: 

— We show that a quantum position- verification protocol by Beigi and Konig [BKll] can be attacked 
with a linear amount of EPR pairs, establishing that their lower bound is optimal up to a constant 
factor. 



3 



— We study an interesting class of position-verification schemes that may have the foUowing prop- 
erty: the more classical resources the honest users use to faithfully execute the scheme, the more 
quantum resources the adversary needs in order to break it. We give some first results towards 
proving this desirable property. 

— We introduce a new model of communication complexity, called the garden-hose model. The model 
is an abstraction of certain types of attacks against the above class of position- verification schemes. 
As such, tools from classical communication complexity can be used to obtain upper bounds on 
the number of EPR pairs needed to break a given scheme. 

— We prove almost-linear lower bounds in the garden-hose model for concrete functions like inner 
product, majority, and equality. We show that random functions have exponential garden-hose 
complexity. 

— We establish that all functions computable in log space have polynomial garden-hose complexity. 
As a corollary, we obtain the following interesting connection between proving the security of 
quantum protocols and classical complexity theory: If there is an / in P such that there is no 
attack on our scheme using a polynomial number of EPR pairs, then P 7^ LOGSPACE. 

— Our approach may lead to practical secure quantum position-verification schemes whose security 
is based on classical complexity-theoretical assumptions such as P is different from LOGSPACE. 

2 Preliminaries 

We assume that the reader is familiar with basic concepts of quantum information theory. We refer 
to |NCOO) for an introduction and merely fix some notation here. 

2.1 Quantum Teleportation 

An important example of a 2-qubit state is the EPR pair, which is given by \'P)ab — {\0)a\0)b + 
b)/V^ S Ha (8) = (g) and has the following properties: if qubit A is measured in the 
computational basis, then a uniformly random bit x € {0, 1} is observed and qubit B collapses to 
Similarly, if qubit A is measured in the Hadamard basis, then a uniformly random bit x € {0, 1} is 
observed and qubit B collapses to H\x). 

The goal of quantum teleportation is to transfer a quantum state from one location to another 
by only communicating classical information. Teleportation requires pre-shared entanglement among 
the two locations. To teleport a qubit Q in an arbitrary unknown state \iP)q from Alice to Bob, Alice 
performs a Bell-measurement on Q and her half of an EPR pair, yielding a classical measurement 
outcome k e {0, 1, 2, 3}. Instantaneously, the other half of the corresponding EPR pair, which is held 
by Bob, turns into the state crfc|'0), where ao,<Ji,cr2, cr^ denote the four Pauli-corrections {I, X, Z, XZ}, 
respectively. The classical information k is then communicated to Bob who can recover the state {ip) 
by performing at on his EPR half. 

3 On the (In) Security of a Proposed Protocol For Position Verification 
3.1 Mutually Unbiased Bases 

We use the following standard definition of mutually unbiased bases. 

Definition 3.1. Two orthonormal bases {\ef)}i=i,,,,^d o,nd {|ej)}j=i....,rf of are called mutually 
unbiased, «/ |(e°|e^)P = ^ holds for all i,j & {1, . . . ,d}. 



4 



A Pauli operator on an n-qubit state is the tensor product of n one-qubit Pauli matrices. Hence, 
there are 4" Pauh operators in total. For i G {0, 1, 2, S}", we can write the Pauh operator Oi as 

n 

fe=i 

where aj is the j-th Pauh matrix acting on qubit k (tensored with the identity on the other qubits). 

Excluding the identity, there are 4" — 1 Pauli operators. These can be partitioned in 2" + 1 distinct 
subsets consisting of 2" — 1 commuting operators each |LBZ02| . The 2" common eigenvectors of such 
a set of 2" — 1 commuting operators define an orthonormal basis. It can be shown that for any such 
partitioning, the resulting 2" + 1 bases are pairwise mutually unbiased jLBZ02j . We denote by |e°) 
the x-th basis vector of the a-th mutually unbiased basis of this construction, where x S {0, 1} and 
a G ^ for a set of 2" + 1 elements. 

In the following, we will exploit a special property of this construction of mutually unbiased bases 
in order to attack a protocol for position- verification recently proposed by Beigi and Konig |BK11) . 
In particular, we use the fact that applying a Pauli operator only permutes the basis vectors within 
every mutually unbiased basis, but does not map any basis vector into another basis. This property 
is captured by the following lemma. 

Lemma 3.2. Let U be an arbitrary Pauli operator on n qubits. For arbitrary a Cz A and x G {0, 1}", 
let |e°) be the x-th basis vector of the a-th mutually unbiased basis obtained from the construction 
above. Then, there exists z €E {0, 1}" such that U\e'^) = |e°). 

Proof. We can write U as 

n 

TT „1 Jl „n TT „k 

k=\ 

Assume |ej) is a common eigenvector of an internally commuting subset A of the Pauli operators, 
like described earher. Denote the 2" — 1 elements of A by with £e{l,...,2" — 1}. Note that 
CTofTi = OiGQ for i S {0,1,2,3} and OiUj = (— 1)'^'^ tJjCri for i,j G {1,2,3} and the Kronecker i5- 
function. Because |e°) is a common eigenvector of the Pauli operators in this set, it holds for all i that 
Of\e°;.) = A^le") for some eigenvalue Xg. To prove the claim, we show that U\e%) is also an eigenvector 
of all of, with some (possibly different) eigenvalue A^. 

n 

OfU\el) = X{aloXK) 

71 

k=l 

where we define := (— l)"'^'''^)Af and the function a{r,£) determines the phase arising from the 
commutation relations of the ar^^s and a^^^s. Because J7|e") is a common eigenvector of all Of, there 
exists z G {0, 1}" such that [e^) = U\e^). □ 



5 



3.2 The Protocol 



The protocol described in Figure[ljuses an (almost) complete set of mutually unbiased bases {\e'^)x=i,...,2"} 
as defined above. The protocol can be seen as a higher-dimensional extension of the basic BB84- 
protocols proposed and analyzed in |KMS11IBCF+11| . In |BK11| . Beigi and Konig show that PVmub 
is secure against adversaries that share fewer than n/2 EPR pairs and are restricted to one round of 
simultaneous classical communication. They leave open whether the protocol remains secure against 
colluding adversaries that share more entanglement. We answer this question here. In the rest of the 
section, we show that for the construction of MUBs mentioned above, it is sufficient for adversaries 
to share n EPR pairs in order to perfectly break the protocol PV^ub- It follows that the lower bound 
on the number of EPR pairs given in |BKllj is optimal up to constant factors. 



0. Vo and Vi share common (secret) randomness in the form of uniformly distributed bitstrings a,x £ 
{0,1}". 

1. Vb sends a to P and Vi prepares the state \e%) and sends it to P. The timing is chosen such that 
both the classical information and the quantum state arrive at the prover at the same time. 

2. P measures the state in the basis {|e")}i, getting measurement outcome x £ {0, 1}". He sends x to 
both Vo and Vi. 

3. Vo and Vi accept if they receive x at times consistent with x being emitted from the claimed position 
in both directions simultaneously, and x — x. 



Fig. 1. Protocol PVmub from |BK11| for position- verification using mutually unbiased bases. 



3.3 The Attack 



The attack reported here is very similar to the attack on the BB84-scheme described in |KMS11| . The 
colluding adversaries Pq en Pi set up between the prover's claimed position and the verifiers Vq and 
Vi, intercepting messages from Vq and Vi. 

Adversary Pq has knowledge of the basis a and Pi gets the state |e"). Our attack shows that 
using n ebits and one round of simultaneous classical communication suffices to determine x, and thus 
breaking protocol PVmub ■ We assume that the set of mutually unbiased bases used is equivalent to a 
basis obtained by a partitioning of Pauli operators as described above. To the best of our knowledge, 
any currently known construction of mutually unbiased basis sets of dimension 2" is of this form. If 
the used set of mutually unbiased bases differs from one of these by a unitary transform, the attack 
still works by the adversaries just applying this unitary before the first step. 

As soon as Pi receives the state |e°), she teleports it to Pq and forwards the classical outcome 
of the teleportation measurement indicating the needed Pauli correction U. Using Lemma |3.2[ the 
teleported state is still a basis vector of the same mutually unbiased basis, i.e. the state Pq has before 
correction is |e°), with z depending on the teleportation measurement outcome. Pq measures |e°) in 
basis a, getting outcome z which she sends to Pi. 

Now both adversaries hold a, z and the teleportation Pauli correction U. It is straightforward to 
(classically) derive the correct x, it is the measurement outcome in basis a of the state |e°) = U\e'^) 
after applying the Pauli correction U. 



6 



4 The Garden-Hose Game 



4.1 Motivation 



The results of this section are motivated by the study of a particular quantum protocol for secure 
position verification, described in Figure[2j The protocol is of the generic form described in Section 3.2 
of [BCF+11| . In Step ^ the verifiers prepare challenges for the prover. In Step [l] they send the 
challenges, timed in such a way that they all arrive at the same time at the prover. In Step[2l the 
prover computes his answers and sends them back to the verifiers. Finally, in Step [3] the verifiers 
verify the timing and correctness of the answer. 

As in [BCF"*"!! , we consider here for simplicity the case where all players live in one dimension, 
the basic ideas generalize to higher dimensions. In one dimension, we can focus on the case of two 
verifiers Vq, Vi and an honest prover P in between them. 

We minimize the amount of quantum communication in that only one verifier, say Vo, sends a 
qubit to the prover, whereas both verifiers send classical n-bit strings x,y G {0, 1}" that arrive at 
the same time at the prover. We fix a publicly known boolean function / : {0, 1}" x {0, 1}" — {0, 1} 
whose output f{x,y) decides whether the prover has to return the qubit (unchanged) to verifier Vq 
(in case f{x,y) — 0) or to verifier Vi {if f{x,y) = 1). 



0. Vo randomly chooses two n-hit strings x,y £ {0, 1}" and privately sends j/ to Vi. Vo prepares an EPR 
pair (|0)v|0)p + |l)v|l)p)/\/2. If f{x,y) = 0, Vq keeps the qubit in register V. Otherwise, Vq sends 
the qubit in register V privately to Vi. 

1. Vo sends the qubit in register P to the prover P together with the classical n-bit string x. Vi sends 
y so that it arrives at the same time as the information from Vo at P. 

2. P evaluates f{x,y) £ {0, 1} and routes the qubit to Vf(^x,y)- 

3. Vo and Vi accept if the qubit arrives in time at the right verifier and the Bell measurement of the 
received qubit together with the qubit in V yields the correct outcome. 



Fig. 2. Position- verification scheme PVqubit using one qubit and classical n-bit strings. 



The motivation for considering this protocol is the following: As the protocol uses only one qubit 
which needs to be correctly routed, the honest prover's quantum actions are trivial to perform. His 
main task is evaluating a classical boolean function / on classical inputs x and y whose bit size n 
can be easily scaled up. On the other hand, our results in this section suggest that the adversary's 
job of succesfuUy attacking the protocol becomes harder and harder for larger input strings x,y. The 
hope is that for "complicated enough" functions f{x,y), the amount of EPR pairs (ebits) needed to 
successfully break the security of the protocol PVq„bit grows (at least) linearly in the bit length n of 
the classical strings x, y. 

If this intuition can be proven to be true, it is a very interesting property of the protocol that 
we obtain a favorable relation between quantum and classical difficulty of operations in the following 
sense: if we increase the length of the classical inputs x, y, we require more classical computing power 
of the honest prover, whereas more quantum resources (ebits) are required by the adversary to break 
the protocol. To the best of our knowledge, such a trade-off has never been observed for a quantum- 
cryptographic protocol. 

In order to analyze the security of the protocol PVq^bit, we define the following communication 
game in which Alice and Bob play the roles of the adversarial attackers of PVqubjt. Alice starts with an 
unknown qubit |(/)) and a classical n-bit string x while Bob holds the n-bit string y. They also share 



7 



some quantum state \'q)AB and both players know the Boolean function / : {0, 1}" x {0, 1}" — ^ {0, 1}. 
The players are allowed one round of simultaneous classical communication combined with arbitrary 
local quantum operations. When f{x, y) = 0, Alice should be in possession of the state \(f)) at the end 
of the protocol and on f{x,y) — 1, Bob should hold it. 

As a simple example consider the case where f{x,y) = x (B y, the exclusive OR function, with 
1-bit inputs x and y. Alice and Bob then have the following way of performing this task perfectly 
by using a pre-shared quantum state consisting of three EPR pairs (three ebits) . Label the first two 
EPR pairs and 1. Alice teleports to Bob using the pair labeled with her input x. This yields 
measurement result i € {0,1,2,3}, while Bob teleports his half of the EPR pair labeled y to Alice 
using his half of the third EPR pair while obtaining measurement outcome j G {0, 1, 2,3} . In the 
round of simultaneous communication, both players send the classical measurement results and their 
inputs a; or y to the other player. If a; © y = 1, i.e. a; and y are different bits. Bob can apply the 
Pauli operator (7^ to his half of the EPR pair labeled x = y ® 1, correctly recovering Similarly, if 
X (By — 0, it is easy to check that Alice can recover the qubit by applying ai<7j to her half of the third 
EPR pair. 

If Alice and Bob are constrained to the types of actions in the example above, i.e., if they are 
restricted to teleporting the quantum state back and forth depending on their classical inputs, we 
obtain the following notion of garden-hose game and garden-hose complexity. 

4.2 Definition of the Garden-Hose Game 

Alice and Bob get n-bit input strings x and y, respectively. Their goal is to "compute" an agreed-upon 
Boolean function / : {0, 1}" x {0, 1}" — > {0, 1} on these inputs, in the following way. We assume that 
Alice and Bob have s pipes between them. Depending on their respective classical inputs x and y, they 
connect their ends of the pipes with pieces of hose, of which they have an unlimited amount. Note 
however, that we do not allow "T-pieces" (or more complicated constructions) of hose which connect 
two or more pipes to one, or vice versa; only one-to-one connections are allowed. Alice has a source of 
water which she connects to one of the pipes, and then she turns on the water. It is easy to check that 
no "deadlocks" are possible and hence the water will flow out on either of the sides. They succeed in 
computing / (we may also say: they win the garden-hose game), if the water comes out of one of the 
pipes on Alice's side whenever f{x, y) — 0, and the water comes out of one of the pipes on Bob's side 
whenever /(x, y) = 1. Note that it does not matter out of which pipe the water flows, only on which 
side it flows. We stress once more that what makes the game non-trivial is that Alice and Bob must 
do their "plumbing" based on their local input only, and they are not allowed to communicate. We 
refer to Figure |3] for an illustration of computing the XOR function in the garden- hose model. 

We can translate any strategy of Alice and Bob in the garden-hose game to a perfect quantum 
attack of PV^utit by using one EPR pair per pipe and performing Bell measurements where the players 
connect the pipes. Our hope is that also the converse is true in spirit: if many pipes are required to 
compute /, say we need superpolynomially many, then the number of EPR pairs needed for Alice 
and Bob to successfully break PV^^bit with probability close to 1 by means of an arbitrary attack (not 
restricted to Bell measurements on EPR pairs) should also be superpolynomial. We leave this as an 
interesting problem for future research. We stress that for this application, a polynomial lower bound 
on the number of pipes, and thus on the number of EPR pairs, is already interesting. 

We formalize the above description of the garden-hose game, given in terms of pipes and hoses 
etc., by means of rigorous graph-theoretic terminology. However, we feel that the above terminology 
captures the notion of a garden-hose game very well, and thus we sometimes use the above "watery" 
terminology. We start with a balanced bi-partite graph {A\J B^E) which is 1-regular and where the 
cardinality of A and B is \A\ = \B\ = s, for an arbitrary large s S N. We slightly abuse notation and 



8 



Alice Bob 




Fig. 3. Garden-hose game for the XOR function. 

denote both the vertices in A and in B by the integers 1, . . . , s. If we need to distinguish i £ A from 
i £ B, we use the notation and . We may assume that E consists of the edges that connect i £ A 
with i £ B for every i S {1, . . . ,s}, i.e., E — : 1 < i < s}. These edges in E are the pipes in 

the above terminology. We now extend the graph to {Ao U B, E) by adding a vertex to A, resulting in 
Ao = AU {0}. This vertex corresponds to the water tap, which Alice can connect to one of the pipes. 
Given a Boolean function / : {0,1}" x {0,1}" — > {0,1}, consider two functions Ea^ and Eb; both 
take as input a string in {0, 1}" and output a set of edges (without self loops). For any x,y € {0, 1}", 
Ea„ {x) is a set of edges on the vertices Ao and Eb{x) is a set of edges on the vertices B, so that the 
resulting graphs {Ao, Eao{x)) and (B, Esiy)) have maximum degree at most 1. EA^ix) consists of 
the connections among the pipes (and the tap) on Alice's side (on input x), and correspondingly for 
Esiu)- For any x,y £ {0, 1}", we define the graph G{x, y) — {Aq U B,EU Ea„ (x) U Esiy)) by adding 
the edges Ea^ (x) and Esiy) to E. G{x, y) consists of the pipes with the connections added by Alice 
and Bob. Note that the vertex € Aq has degree at most 1, and the graph G{x,y) has maximum 
degree at most two 2; it follows that the maximal path TT{x,y) that starts at the vertex e ylo is 
uniquely determined. tt{x, y) represents the flow of the water, and the endpoint of 7r(a;, y) determines 
whether the water comes out on Alice or on Bob's side (depending on whether it is in Aq or in B). 

Definition 4.1. A garden-hose game is given by a graph Junction G : {x,y) i— > G{x,y) as described 
above. The number of pipes s is called the size of G, and is denoted as s{G). A garden-hose game G 
is said to compute a Boolean function f : {0, 1}" x {0, 1}" — ^ {0, 1} if the endpoint of the maximal 
path n{x, y) starting at is in Ao whenever f(x, y) = and in B whenever f{x, y) = 1. 

Definition 4.2. The (deterministic) garden- hose complexity of a Boolean function f : {0, 1}" x 
{0, 1}" — > {0, 1} is the size s{G) of the smallest garden-hose game G that computes f. We denote it 
by GH{f). 

We start with a simple upper bound on GH{f) which is implicitly proven in the attack on Scheme 
II in [ KMSllj . 

Proposition 4.3. For every Boolean function f : {0, 1}" x {0, 1}" {0, 1}, the garden-hose com- 
plexity is at most GH{f) < 2" + 1. 



9 



Proof. We identify {0,1}" with {1,...,2"} in the natural way. For s — 2" + 1 and the resulting 
bipartite graph {Ao U B,E), we can define Ea^ and Eb as follows. Ea^ {x) is set to {(0, x)}, meaning 
that Alice connects the tap with the pipe labeled by her input x. To define Eb, group the set Z(y) — 
{a e {0, 1}" : f{a, y) = 0} arbitrarily into disjoint pairs {oi, 02} U {as, 04} U . . . U {a^-i, a^} and set 
EB{y) = {{oi, 02} , {03, 04} , . . . , {ai-i,a£}}. If £ = is odd so that the decomposition into pairs 

results in a left-over {a^}, then ai is connected with the "reserve" pipe labeled by 2" + 1. 

By construction, if x € Z{y) then x = ai for some i, and thus pipe a; = is connected on Bob's 
side with pipe a^-i or a^+i, depending on the parity of i, or with the "reserve" pipe, and thus 7r(x, y) 
is of the form Tr{x, y) = (0, x^, x^ ,v^), ending in Aq. On the other hand, if a; ^ ^(2/): then pipe x 
is not connected on Bob's side, and thus tt{x, y) — (0, x^, x^), ending in B. This proves the claim. □ 

We notice that the same proof shows that the garden-hose complexity GH{f ) is at most 2*^ -I- 1, when 
k is the the one-way communication complexity from Alice to Bob of /|^ 

We introduce the following terminology. We say that a function / : {0, 1}" x {0, 1}" {0, 1} 
is obtained from a function g : {0, 1}™ x {0, 1}™ — > {0, 1} by local pre-processing if / is of the form 
/(x, y) — g{a{x), l3{y)), where a and /3 are arbitrary functions {0, 1}" — >■ {0, 1}™. The following invari- 
ance under local preprocessing follows immediately from the definition of the garden-hose complexity. 

Lemma 4.4. /// is obtained from g by local pre-processing, then GH{f) < GH{g). 



4.3 Garden-Hose Complexity and Log-Space Computations 

The following theorem shows that for a large class of functions, a polynomial amount of pipes suffices 
to win the garden-hose game. A function / with an n-bit input is log-space computable if there is a 
deterministic Turing machine M and a constant c, such that M outputs the correct value of /, and at 
most c • logn locationfj^ of M's work tapes are ever visited by M's head during computation of every 
input of length n. 

Theorem 4.5. // / : {0, l}" x {0, 1}" — )• {0, 1} is log-space computable, then GH{f) is polynomial in 
n. 



In combination with Lemma |4.4[ it follows immediately that the same conclusion also holds for 
functions that are log-space computable up to local pre-processing, i.e., for any function / : {0, 1} x 
{0, 1}" — > {0, 1} that is obtained from a log-space computable function g : {0, 1}™ x {0, 1}™ {0, 1} 
by local pre-processing, where m is polynomial in n. Below, in Proposition [4?7j we show that log-space 
up to local pre-processing is also necessary for a polynomial garden-hose complexity. 



We will later see (Proposition 4.111 that there exist functions with large garden-hose complexity. 
However, a negative implication of Theorem |4.5| is that proving the existence of a polynomial-time 
computable function / with exponential garden-hose complexity is at least as hard as separating L 
from P, a long-standing open problem in complexity theory. 

Corollary 4.6. // there exists a function f : {0, 1}" x {0, 1}" — > {0, 1} in P that has superpolynomial 
garden-hose complexity, then P 7^ L. 



Proof (of Theorem 4-5 ). Let M be a deterministic Turing machine deciding f{x,y) = 0. We assume 
that M's read-only input tape is of length 2n and contains x on positions 1 to n and y on positions 
n + 1 to 2n. By assumption M uses logarithmic space on its work tapes. 



Or if needed, with a small adjustment in the protocol, 2*^ + 2 with k the one-way communication complexity 
of Bob to Alice. 

3 



All logarithms in this paper are with respect to base 2. 



10 



In this proof, a configuration of M is the location of its tape heads, the state of the Turing machine 
and the content of its work tapes, excluding the content of the read-only input tape. This is a slightly 
different definition than usual, where the content of the input tape is also part of a configuration. 
When using the normal definition (which includes the content of all tapes) , we will use the term total 
configuration. Any configuration of M can be described using a logarithmic number of bits, because 
M uses logarithmic space. 

A Turing machine is called deterministic, if every total configuration has a unique next one. A 
Turing machine is called reversible if in addition to being deterministic, every total configuration also 
has a unique predecessor. An S{n) space-bounded deterministic Turing machine can be simulated by 
a reversible Turing machine in space 0{S{n)) |LMT97| . This means that without loss of generality, 
we can assume M to be a reversible Turing machine, which is crucial for our construction. Let M 
also be ofe/iwoM^in the tape head movement on the input tape. This can be done with only a small 
increase in space by adding a counter. 

Alice's and Bob's perfect strategies in the garden-hose game are as follows. They list all configura- 
tions where the head of the input tape is on position n coming from position n + 1. Let us call the set 
of these configurations Ca- Let Cb be the analogous set of configurations where the input tape head 
is on position n + 1 after having been on position n the previous step. Because M is oblivious on its 
input tape, these sets depend only on the function /, but not on the input pair {x,y). The number 
of elements of Ca and Cb is at most polynomial, being exponential in the description length of the 
configurations. Now, for every element in Ca and Cb, the players label a pipe with this configuration. 
Also label \Ca\ pipes ACCEPT and \Cb\ of them REJECT. These steps determine the number of pipes 
needed, Alice and Bob can do this labeling beforehand. 

For every configuration in Ca, with corresponding pipe p, Alice runs the Turing machine starting 
from that configuration until it either accepts, rejects, or until the input tape head reaches position 
n+1. If the Turing machine accepts, Alice connects p to the first free pipe labeled ACCEPT. On a 
reject, she leaves p unconnected. If the tape head of the input tape reaches position n-f-l, she connects 
p to the pipe from Cb corresponding to the configuration of the Turing machine when that happens. 
By her knowledge of x, Alice knows the content of the input tape on positions 1 to n, but not the 
other half. Alice also runs M from the starting configuration, connecting the water source to a target 
pipe with a configuration from Cb depending on the reached configuration. 

Bob connects the pipes labeled by Cs in an analogous way: He runs the Turing machine starting 
with the configuration with which the pipe is labeled until it halts or the position of the input tape 
head reaches n. On accepting, the pipe is left unconnected and if the Turing machine rejects, the pipe 
is connected to one of the pipes labeled REJECT. Otherwise, the pipe is connected to the one labeled 
with the configuration in Ca, the configuration the Turing machine is in when the head on the input 
tape reached position n. 

In the garden-hose game, only one-to-one connections of pipes are allowed. Therefore, to check that 
the described strategy is a valid one, the simulations of two different configurations from Ca should 
never reach the same configuration in C^. This is guaranteed by the reversibility of M as follows. 
Consider Alice simulating M starting from different configurations c € Ca and c' G Ca- We have to 
check that their simulation can not end at the same d G Cb, because Alice can not connect both pipes 
labeled c and c' to the same d. Because M is reversible, we can in principle also simulate M backwards 
in time starting from a certain configuration. In particular, Alice can simulate M backwards starting 
with configuration d, until the input tape head position reaches n+1. The configuration of M at that 

* A Turing machine is called oblivious, if the movement in time of the heads only depend on the length of 
the input, known in advance to be 2n, but not on the input itself. For our construction we only require the 
input tape head to have this property. 



11 



time can not simultaneously be c and d , so there will never be two different pipes trying to connect 
to the pipe labeled d. 

It remains to show that, after the players link up their pipes as described, the water comes out on 
Alice's side if M rejects on input and that othcTwise the water exits at Bob's. We can verify 

the correctness of the described strategy by comparing the flow of the water directly to the execution 
of M. Every pipe the water flows through corresponds to a conflguration of M when it runs starting 
from the initial state. So the side on which the water flnally exits also corresponds to whether M 
accepts or rejects. □ 

Proposition 4.7. Let f : {0, 1}" x {0, 1}" — > {0, 1} be a Boolean function. If GH{f) is polynomial 

( in n), then f is log-space computable up to local pre-processing. 

Proof. Let G be the garden-hose game that achieves s{G) = GH(f ). We write s for s(G), the number 
of pipes, and we let Ea„ and Eb be the underlying edge-picking functions, which on input x and y, 
respectively, output the connections that Alice and Bob apply to the pipes. Note that by assumption, 
s is polynomial. Furthermore, by the restrictions on Ea^ and Eb, on any input, they consist of at 
most (s + l)/2 connections. 

We need to show that / is of the form f{x, y) ~ g{a{x), I3{y)), where a and /3 are arbitrary functions 
{0, 1}" — ^ {0, l}"*, / : {0, 1}"* X {0, 1}"' — {0, 1} is log-space computable, and m in polynomial in 
n. We define a and /3 as follows. For any x,y £ {0, 1}", a{x) is simply a natural encoding of Ea„ (x) 
into {0, 1}™, and is a natural encoding of Eb(ii) into {0, 1}™. In the hose-terminology we say 
that a{x) is a binary encoding of the connections of Alice, and is an encoding of the connections 
of Bob. Obviously, this can be done with m of polynomial size. Given these encodings, finding the 
endpoint of the maximum path 7r(.T, y) starting in can be done with logarithmic spac:e: at any point 
during the computation, the Tilling machine only needs to maintain a couple of pointers to the inputs 
and a constant number of binary flags. Thus, the function g that computes g{a{x), (3{y)) = f{x,y) is 
log-space computable in m and thus also in n. □ 



4.4 Lower Bounds 

In this section, we present lower bounds on the number of pipes required to win the garden-hose game 

for particular (classes of) functions. 

Definition 4.8. We call a function f injective for Alice, if for every two different inputs x and x' 
there exists y such that f{x, y) ^ f{x', y). We define injective for Bob in an analogous way: for every 
y ^ y' , there exists x such that f{x,y) ^ f{x,y') holds. 

Proposition 4.9. // / is injective for Bob or f is injective for Alice, then 

GH{f)\og{GH{f))>n. 

Proof. We give the proof when / is injective for Bob. The proof for the case where / is injective for 
Alice is the same. Consider a garden-hose game G that computes /. Let s be its size s{G). Since, on 
Bob's side, every pipe is connected to at most one other pipe, there are at most — 2'''°s(*) possible 
choices for EB{y), i.e., the set of connections on Bob's side. Thus, if 2''^°^^'^^ < 2", it follows from 
the pigeonhole principle that there must exist y and y' in {0,1}" for which Esiy) = Esiy'), and 
thus for which G{x,y) = G{x,y') for all x G {0,1}". But this cannot be since G computes / and 
f{x,y) ^ f{x,y') for some x due to the injectivity for Bob. Thus, 2*'°^'^**) > 2" which implies the 
claim. □ 



12 



We can use this result to obtain an almost linear lower bound for several functions that arc often 
studied in communication complexity settings such as: 

— Bit wise inner product: IP{x,y) — J^i^iVi (mod 2) 

— Equality: EQ(a;, y) = I iS x = y 

— Majority function: MAJ(a;, y) = 1 iff Xiyi > [f ] 

For the first two functions we have a method that is linear in the number of pipes, and our best upper 
bound of computing majority in the garden-hose model is quadratic. Specific constructions can be 
found in |Spell| . All of these functions are injective for both Alice and Bob, giving us the following 
corollary. 

Corollary 4.10. The functions bitwise inner product, equality and majority have garden-hose com- 
plexity at least . 

Proposition 4.11. There exist functions f : {0, 1}" x {0, 1}" {0, 1} for which GH{f) is exponen- 
tial. 

Proof. The existence of functions with an exponential garden-hose complexity can be shown by a 
simple counting argument. There are 2^ different functions f{x,y). For a given size s = s{G) of 
G, for every x G {0,1}", there are at most (s -)- 1)*+^ ways to choose the connections Ea^{x) on 
Alice's side, and thus there are at most ((s -f 1)*+^)^ = 2^ (s-i-i) iog(s+i) -^^^yg choose the function 
Ea„. Similarly for Eq, there arc at most 2^"*'°s(s) -^^ays to choose Eb- Thus, there arc at most 
22-2" (s+i) iog(s+i) yfg^yg clioosc G of size s. Clearly, in order for every function / to have a G of size 
s that computes it, we need that 2 • 2"(s 1) log(s -\-l)> 2^", and thus that (s -\- 1) log(s -h 1) > 2"-\ 
which means that s must be exponential. □ 



5 Lower Bound In The Real World 



In this section, we show that for a function that is injective for Alice or injective for Bob (according to 
Definition 4.8 1, the dimension of the state the adversaries need to handle (including possible quantum 



communication between them) in order to attack protocol PVq^bit perfectly has to be of order at least 
linear in the classical input size n. In other words, they require at least a logarithmic number of qubits 
in order to successfully attack PVq„bif We start by showing two lemmas. The actual bound is shown in 
Section 5.3 In the last section, we show that there exist functions for which perfect attacks on RVq^bit 
requires the adversaries to handle a polynomial amount of qubits. 



5.1 Localized Qubits 

Assume we have two bipartite states jV'^) and jf/'^) with the property that \tp'^) allows Alice to locally 
extract a qubit and {"ip^) allows Bob to locally extract the same qubit. Intuitively, these two states 
have to be different. 

More formally, we assume that both states consist of five registers R, A, A, B, B where registers 
R, A, B are one-qubit registers and A and B are arbitrary. We assume that there exist local unitary 
transformations U^^ acting on registers AA and Vgg acting on BB such thaij^ 

Uaa\^^°)b.aAbb = ® \P)abb (1) 

yBB\^''')RAABB = W)rB ® \Q)aAB > (2) 

^ We always assume that these transformations act as the identities on the registers we do not specify 
explicitly. 



13 



where \P)ra '■— (|00)_RA + |ll))i?,yi)/\/2 denotes an EPR pair on registers RA and \P) Xbb '"^"^^ \Q) aab 
are arbitrary pure states. 

Lemma 5.1. Let IV'"), &e states that fulfil and Then, 

K^^iv-^)! <i/2. 

Proof. Multiplying both sides of ([!]) with C/^^ and multiplying ([2| with V^^, we can write 
I I = I {P\ra{P\abb UaaKb \I^)rb\Q)aab I 

^\mRA{P'\ABB\P)RBmAAB\ 
= \{P'\ABB{P\RA\f3)RBmAAB\^ 

where we used that U^^ and V^g commute and defined \P')abb ^bb\^) abb ^^^'^ \Q')aab 
^aaIQ) AAB- "^^^ ^^^^ equality is just rearranging terms that act on different registers. 
Note that writing out the partial inner product between \f3)RA and |/3)_rb gives 

W\ba\I3)rb = 1{{0\a\0)b + {1\a\1)b) , 
where the operator in the parenthesis "transfers" a qubit from register A to register B. Hence, 

I I = I {P'\abbI{{0\a\0)b + {1\a\1)b)\Q')aAb I 

= 2 ' I ^ABb\Q ) BAB I 
1 

where the last step follows from the fact that the inner product between any two unit vectors on the 
same registers can be at most 1. □ 



5.2 Squeezing Many Vectors in a Small Space 

For the sake of completeness, we reproduce here an argument similar to |NCOO[ Section 4.5.4] about 
covering the state space of dimension d with patches of radius e. 

Lemma 5.2. Let B be a set of 2" distinct unit vectors in a complex Hilhert space of dimension d, 
with pairwise absolute inner product at most 1/2. Then, the dimension d has to be in ri(n). 

Proof. For any two vectors \v), \w), we can rotate the space such that = |0) and \w) = cos 6*10) + 
sin^jl) for two orthogonal vectors |0) and |1). The Euclidean distance between \v) and \w) can be 
expressed as 

I \v) - \w) I = 1(1 - cos6l)|0) - sin6i|l)| 
= y(l-cos6i)2 + sin2 6' 
= Vl - 2 cos 6* + cos2 e + sin^ 6 



14 



If \v) and |w) have absolute inner product at most 1/2, we have that | cos9\ < 1/2 and hence | |w) ~ 
\w) \ > 1. Therefore, the vectors in B have pairwise Euclidean distance at least 1. The set of unit 
vectors \w) with Euclidean distance at most S from \v) is called patch of radius S around \v). It follows 
that patches of radius 1/2 around every vector in the set B do not overlap. 

The space of all d-dimensional state vectors can be regarded as the real unit (2(i— l)-sphere, because 
the vector has d complex amplitudes and hence 2d real degrees of freedom with the restriction that 
the sum of the squared amplitudes is equal to 1. Notice that the Euclidean distance between complex 
vectors \v), \w) remains unchanged if we regard these vectors as points of the real unit {2d— l)-sphere. 

The surface area of a patch of radius 1/2 near any vector is lower bounded by the volume of a 
(2d — 2)-sphere of radius e where £ is a constant slightly less than 1/2 We use the formula Sk{r) = 
2-^{k+i)/2^k/ r((A:+l) /2) for the surface area of a fc-sphere of radius r, and Vfe(r) = 2'K'^'^~^^^/^r'^~^^ /[{k+ 
1) r((/c + l)/2)] for the volume of a fc-sphere of radius r. The total surface area of all patches, which 
is at least 2" • V2d-2{£), is not more than the total surface of the whole sphere 5*2^-1(1)- Inserting the 
formulas, we get 

2" • 2Tr'^^i - < 27r'* 

(2d-i)r(d-i)- r(d) 

Using the fact that '"p^^^''^ < ^ , we conclude that 

2" < ^/^(2 - -)e-(2rf-i) < 2y^£-(2'i-i) . 
d 

As e < 1/2, we obtain that d has to be in ri(n). □ 



5.3 The Lower Bound 

We consider perfect attacks on protocol P\/q^bit from Figure [2j We allow the players one round of 
simultaneous quantum communication which we model as follows. Let \'4') haaAcBBBc pure 
state after Alice received the EPR half from the verifier. The one-qubit register R holds the verifier's 
half of the EPR-pair, the one-qubit register A contains Alice's other half of the EPR-pair, the register 
A is Alice's part of the pre-shared entangled state and the register Aq holds the qubits that will be 
communicated to Bob. The registers BBBc belong to Bob where B holds one qubit and B is Bob's 
part of the entangled state and the Be register will be sent to Alice. We denote by qA the total number 
of qubits in registers A and Ac and by the total number of qubits in B and Be- The overall state 
is thus a unit vector in a complex Hilbert space of dimension d 2^+''^+^+''^. 

In the first step of their attack, Alice performs a unitary transform depending on her classical 
input X on her registers A A Ac- Similarly, Bob performs a unitary transform depending on y on 
registers BBBc- After the application of these transforms, the communication registers Ac and Be 
and the classical inputs x and y are exchanged. A final unitary transform (performed either by Alice 
or Bob) depending on both x,y "unveils" the qubit either in Alice's register A or in Bob's register B. 

Theorem 5.3. Let f be injective for Bob. Assume that Alice and Bob perform a perfect attack on 
protocol PVq„bif Then, the dimension d of the overall state (including the quantum communication) is 
in f2(n). 

^ The patch is a "bended" version of this volume. 



15 



Proof. We assume that the player's actions are unitary transforms as described before the theorem. 

We investigate the set B of overall states after Bob performed his operation, but before Alice acts 
on the state. These states depend on Bob's input y G {0, 1}", 

We claim that for any two different 71-bit strings y ^ y' , the corresponding two vectors V^lip) and 
y in B have an absolute inner product of at most 1/2. 

Due to the injectivity of /, there exists an input x for Alice such that /(x, y) 7^ f{x, y'). Applying 
Alice's unitary transform to both vectors does not change their inner product, i.e. 

M{vy)Wy'm\ = M{vy)\un^u^vy'm . 

As J{x,y) ^ f{x,y'), the qubit has to end up on different sides. Formally, there exist unitary trans- 
forms K^^g^ and Lgj^^^ that "unveil" the qubit in register A or B respectively. Hence, we can 



apply Lemma 5.1 to prove the claim that the two vectors y^j-;/') and Vy lip) have an absolute inner 



product of at most 1/2. In particular, all of the vectors in B are distinct. Applying Lemma 5.2 yields 



the theorem. □ 



5.4 Functions For Which Perfect Attacks Need a Large Space 

Theorem 5.4. For any starting state \ip) of dimension d, there exists a Boolean function on inputs 
x,y d {0, 1}" such that any perfect attack on PV^^tit requires d to be exponential in n. 

Proof (sketch). We consider covering the sphere with K patches of vectors whose pairwise absolute 

inner product is larger than ^ (which corresponds to an Euclidean distance of e = V^\J 1 + a/3/2 « 
0.52). This partitioning also induces a partitioning on all possible unitary operations of Alice and 
Bob. We say that two actions A and A' are in the same patch if they take the starting state to 
the same patch. In other words, if two actions are in the same patch then 

\{^\A'^A\ij)\>^. 

Claim. Given two actions of Alice A, A' coming from the same patch i, and two actions of Bob B, B' 

coming from the same patch j, the inner product between BA\tp) and B'A'\ip) has magnitude at least 
1 

2 ■ 

Proof (of the claim). Since Alice and Bob act on different parts of the state, their actions commute. 
Write \iPa) '■= A'''^ Altp) and IV's) ■— B^B'\ip). Then the inner product can be written as 

{^l;\A"<B''<BA\iP) = {iP\B"fBA"fA\iP) = (V'bIV^a) 

Note that 

= \{m'^A\tp)\ > y^, 

so the angle 6 between Hja) and 1-0) is at most arccos ^ = f ■ The same holds for the angle between 
IV'b) and \tp). We can upper bound the total angle between {iPa) and \iPb) by the sum of these angles, 
giving a total angle of at most ^ . This corresponds to a lower bound on the inner product of cos f = 5 ■ 

□ 



16 



So there exists no pair of combined actions AB and A'B' , with A and A' in patch i and B and B' 
in patch j, such that the qubit ends up on AHce's side for AB and on Bob's side for A'B' . Therefore, 
the combination of i and j completely determines the destination of the qubit and hence the output 
of the function. If K denotes the number of patches, then there are possible strategies for Alice 
and possible strategies for Bob. Hence, the number of combined strategies (possibly resulting in 
different functions) is at most K^'^ . 

It is shown in [NCOOi Section 4.5.4] that we need at least K — $1(73^) patches. Using the same 



counting argument as in Proposition 4.11 we have that 



g((i--l)2-2" 

from which follows that for some function, d has to be exponential in n. □ 



6 Conclusion and Open Questions 

We defined the garden-hose model and gave first results for the analysis of a specific scheme for 
quantum position-based cryptography. This scheme only requires the honest prover to work with a 
single qubit, while the dishonest provers potentially have to manipulate a large quantum state, making 
it an appealing scheme to further examine. The garden-hose model captures the power of attacks that 
only use teleportation, giving upper bounds for the general scheme, and lower bounds when restricted 
to these attacks. 

The garden-hose model is a new model of communication complexity, and there are many open 
questions in relation to this model. Can we find better upper and lower bounds for the garden- 
hose complexity of the studied functions? The constructions given in |Spell| still leave a polynomial 
gap between lower and upper bounds for many functions. It would also be interesting to find an 
explicit function for which the garden-hose complexity is provably large, the counting argument in 
Proposition |4. 1 1| only shows the existence of such functions. 

Another relevant extension to our results is the examination of the randomized case: If we allow 
Alice and Bob to give the wrong answer with small probability, what are the lower and upper bounds 
we can prove in the garden-hose model? For example, assuming shared randomness between Alice and 
Bob, we can use results from communication complexity to show a large gap between the randomized 
garden-hose complexity of the equality function, and the deterministic garden-hose complexity of 
equality. 

A possible interesting extra restriction on the garden-hose model would involve limiting the com- 
putational power of Alice and Bob. For example to polynomial time, or the output of quantum circuits 
of polynomial size. By bounding not only the amount of entanglement, but also the amount of com- 
putation with a realistic limit, perhaps stronger security proofs are possible. 

On the other hand, one could also consider the quantum garden-hose model where Alice and 
Bob are additionally allowed to use shared entanglement. In order to keep the correspondence with 
quantum attacks on position-verification protocols, one would have to take into account both the 
number of required pipes and the size of the auxiliary entangled state the players use. 

As a final question, we can ask: How does the protocol behave under parallel repetition? When 
executing the protocol once, the dishonest provers always have a large probability of cheating the 
verifiers; even the nai've method of measuring the qubit and distributing the result will work with 
a probability of at least 0.75. By using the protocol multiple times in parallel, given a situation 
where the adversaries have a small error, it might be possible to increase the probability that the 
dishonest provers are caught to arbitrarily close to 1. However, from complexity theory we know 



17 



similar situations where provers can achieve a lower error probability than expected on first sight. In 
our setting, it remains to be proven that we can always amplify the probability of the cheaters getting 
caught. 

Acknowledgments 

HB and FS are supported by an NWO Vici grant and the EU project QCS. CS is supported by 
an NWO Veni grant. We thank Louis Salvail for useful discussions about the protocol PV^^bit and 
Matthias Christandl for pointing out to us Lemma [X2| 

References 

Bar89. David A. Barrington. Bounded-width polynomial-size branching programs recognize exactly those 
languages in NCI. Journal of Computer and System Sciences, 164:150-164, 1989. 

BC94. Stefan Brands and David Chaum. Distance-bounding protocols. In EUROCRYPT'93, pages 344- 
359. Springer, 1994. 

BCF^ll. Harry Buhrman, Nishanth Chandran, Serge Fehr, Ran Gelles, Vipul Goyal, Rafail Ostrovsky, and 
Christian Schaffner. Position-based quantum cryptography: Impossibility and constructions. In 
Phillip Rogaway, editor. Advances in Cryptology CRYPTO 2011, volume 6841 of Lecture Notes in 
Computer Science, pages 429-446. Springer Berlin / Heidelberg, 2011. 

BKll. Salman Beigi and Robert Konig. Simplified instantaneous non-local quantum computation with 
applications to position-based cryptography. arXiv:1101.1065vl, .lanuary 2011. 

Bus04. Laurent Bussard. Trust Establishment Protocols for Communicating Devices. PhD thesis, Eurecom- 
ENST, 2004. 

CCS06. Srdjan Capkun, Mario Cagalj, and Mani Srivastava. Secure localization with hidden and mobile 
base stations. In IEEE INFOCOM, 2006. 

CFG^IO. Nishanth Chandran, Serge Fehr, Ran Gelles, Vipul Goyal, and Rafail Ostrovsky. Position-based 
quantum cryptography. arXiv:1005.1750v2, May 2010. 

CGMO09. Nishanth Chandran, Vipul Goyal, Ryan Moriarty, and Rafail Ostrovsky. Position based cryptog- 
raphy In CRYPTO 2009, pages 391-407. Springer, 2009. 

CH05. Srdjan Capkun and Jean-Pierre Hubaux. Secure positioning of wireless devices with application 
to sensor networks. In IEEE INFOCOM, pages 1917-1928, 2005. 

IH08. Satoshi Ishizaka and Tohya Hiroshima. Asymptotic teleportation scheme as a universal pro- 
grammable quantum processor. Phys. Rev. Lett., 101(24):240501, Dec 2008. 

IH09. Satoshi Ishizaka and Tohya Hiroshima. Quantum teleportation scheme by selecting one of multiple 
output ports. Phys. Rev. A, 79(4):042306, Apr 2009. 

KMSll. Adrian Kent, William J. Munro, and Timothy P. Spiller. Quantum tagging: Authenticating location 
via quantum information and relativistic signaling constraints. Phys. Rev. A, 84:012326, Jul 2011. 

KMSB06. Adrian Kent, William Munro, Tomothy Spiller, and Raymond Beausoleil. Tagging systems, 2006. 
US patent nr 2006/0022832. 

LBZ02. Jay Lawrence, Caslav Brukner, and Anton Zeilinger. Mutually unbiased binary observable sets on 
N qubits. Physical Review A, 65(3): 1-5, February 2002. 

LLll. Hoi-Kwan Lau and Hoi-Kwong Lo. Insecurity of position-based quantum-cryptography protocols 
against entanglement attacks. Phys. Rev. A, 83(1):012322, Jan 2011. 

LMT97. K.-J. Lange, Pierre McKenzie, and Alain Tapp. Reversible space equals deterministic space. In 
Proceedings of Computational Complexity. Twelfth Annual IEEE Conference, pages 45-50. IEEE 
Comput. Soc, April 1997. 

MallOa. Robert A. Malaney. Location-dependent communications using quantum entanglement. Phys. 

Rev. A, 81(4):042319, Apr 2010. 
MallOb. Robert A. Malaney. Quantum location verification in noisy channels, Apr 2010. arXiv:1004.4689vl. 



18 



NCOO. Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. 

Cambridge university press, 2000. 
SP05. Dave Singelee and Bart Preneel. Location verification using secure distance bounding protocols. 

In IEEE MASS'lO, 2005. 

Spell. Florian Speelman. Position-based quantum cryptography and the garden- hose game. Master's 

thesis, University of Amsterdam, 2011. 
SSW03. Naveen Sastry, Umesh Shankar, and David Wagner. Secure verification of location claims. In 

WiSe'03, pages 1-10, 2003. 

VN04. Adnan Vora and Mikhail Nesterenko. Secure location verification using radio broadcast. In 

OPODIS'04, pages 369-383, 2004. 
ZLFW06. Yanchao Zhang, Wei Liu, Yuguang Fang, and Dapcng Wu. Secure localization and authentication 

in ultra-wideband sensor networks. IEEE Journal on Selected Areas in Communications, 24:829- 

835, 2006. 



19 



